SOLVED Should Server Side Includes be disabled?

ItsMattSon

Well-Known Member
Sep 5, 2016
182
38
103
Perth
cPanel Access Level
Root Administrator
Hi,

Should Server Side Includes (SSI) be disabled? (from a security point of view)

And *could* SSI be disabled? Does anything rely on it from a cPanel/WHM point of view?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,226
463
Hello,

Server-side includes are enabled or disabled via the following Apache options:

Includes - Server-side includes provided by mod_include are permitted.
IncludesNOEXEC - Server-side includes are permitted, but the #exec cmd and #exec cgi are disabled. It is still possible to #include virtual CGI scripts from ScriptAliased directories
"Includes" is disabled by default, but you enable or disable both options via:

"WHM Home » Service Configuration » Apache Configuration » Global Configuration"

Thank you.
 

ItsMattSon

Well-Known Member
Sep 5, 2016
182
38
103
Perth
cPanel Access Level
Root Administrator
Hi @cPanelMichael

That's cool, good to know. I've noticed something 'off' though, whereby even though unticking Includes 'removes' Includes from the Directory / Options in /usr/local/apache/conf/httpd.conf, I can still use SSI on my domain.

Would you know why that might be?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,226
463
That's cool, good to know. I've noticed something 'off' though, whereby even though unticking Includes 'removes' Includes from the Directory / Options in /usr/local/apache/conf/httpd.conf, I can still use SSI on my domain.
Could you provide step-by-step instructions on how you are using SSI for the account? Also, do any entries exist within the .htaccess file under the document root?

Thank you.
 
  • Like
Reactions: ItsMattSon

ItsMattSon

Well-Known Member
Sep 5, 2016
182
38
103
Perth
cPanel Access Level
Root Administrator
Hi,

I checked but I've got no .htaccess files in my public_html folder unfortunately.

I read that to test if SSI is enabled, I'd simply need to upload an index.shtml file to web root and add
Code:
<!--#echo var="DATE_LOCAL"-->
into the source, and if it displays the date in the browser then SSI is enabled (and it does show the date on the page, with or without Includes checked in "WHM Home » Service Configuration » Apache Configuration » Global Configuration")
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,226
463
Hello,

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here and we will update this thread with the outcome.

Thank you.
 

ItsMattSon

Well-Known Member
Sep 5, 2016
182
38
103
Perth
cPanel Access Level
Root Administrator
Hi @cPanelMichael,

I can save you the trouble, I was really dumb this whole time...

In [Home »Service Configuration »Apache Configuration »Global Configuration], I was unchecking the Includes box but leaving the IncludesNOEXEC box ticked (which I guess kept Includes fully functional).

Unchecking both, Includes is no longer working (unless I override from web root with .htaccess Options).

To prevent that, I suspect I'll just have to rebuild EasyApache 4 without mod_include? I'm afraid I don't quite see mod_include in the list though?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,226
463
Hello,

The "AllowOverride" Apache configuration value controls what users can override through their .htaccess file. You can find more information on AllowOverride at:

core - Apache HTTP Server Version 2.4

Thank you.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,226
463
It's compiled by default:

Code:
[[email protected] modules]# httpd -M|grep include
include_module (shared)
The following URL provides information about customizing EasyApache 4:

ea4.ninja

However, I don't recommend removing modules installed by default, as it's possible their inclusion is required for future or existing functionality.

Thank you.
 
  • Like
Reactions: ItsMattSon